Technology and software vendors could be required to notify their US government customers of data breaches and other security compromises, under an executive order being drafted by the administration of President Joe Biden.
According to Reuters, citing a spokesman for the U.S. National Security Council (NSC), the draft is still in development and is due to be presented later this week.
If approved, it would compel affected companies to work directly with the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) to resolve the incident.
In addition, federal agencies would have to enable multi-factor authentication and data encryption by default in their systems.
The government's view is that the rule would override non-disclosure agreements in cases of information security incidents; such agreements have kept investigators from obtaining further data during an investigation, on top of the other harm caused when leaks go undisclosed.
SolarWinds Incident Response
The order was drafted in response to the SolarWinds supply-chain attack, which has been described as "one of the most sophisticated attacks of the decade".
According to a Reuters source, "the federal government needs to be able to investigate and remedy threats to the services it provides to the American people as quickly as possible."
The US has no single nationwide law on security and data leaks, so encryption and multi-factor authentication are still not standard among government suppliers. Some states, California for example, require any company to notify its customers of data leaks, but there is no such rule at the national level.
According to Reuters, the US Congress has tried to pass such a law in the past, but the efforts stalled because they ran against the interests of industry. This order could be the starting point for a law at the national level.
Like the General Data Protection Law (LGPD) in Brazil and the General Data Protection Regulation (GDPR) in Europe, the draft proposes the creation of a regulatory body made up of representatives of government agencies and information security companies, but in this case only government suppliers would be covered by it.
See the original post at: https://thehack.com.br/fornecedores-de-ti-do-governo-dos-eua-podem-ser-obrigados-a-divulgar-vazamentos-de-dados/?rand=48873